AWS re:Invent 2025 - AWS detection and response innovations that drive security outcomes (SEC323)
AWS Detection and Response Innovations for Security Outcomes
Overview
This presentation covered the latest innovations in AWS's detection and response services, including Amazon GuardDuty, Amazon Inspector, and AWS Security Hub.
The goal is to help customers overcome common security challenges around fragmented visibility, disconnected security signals, and delayed responses.
Key objectives include protecting workloads, centralizing monitoring, enhancing visibility, and enabling quick investigation and response across hybrid environments.
Amazon GuardDuty
AWS's fully managed threat detection service, which combines machine learning, anomaly detection, and threat intelligence to identify threats impacting workloads, identities, containers, databases, and Lambda functions.
Uses foundational data sources (VPC Flow Logs, DNS logs, CloudTrail management and event logs) and optional protection plans (S3, EKS, RDS, Lambda, Runtime Monitoring) to gain comprehensive visibility; the foundational sources are consumed by GuardDuty directly and do not need to be enabled or delivered separately.
Applies threat intelligence from external sources as well as internal Amazon threat research to detect suspicious and malicious activity.
Provides extended threat detection capabilities that use machine learning to identify multi-stage attack sequences across data sources.
Includes malware scanning: Malware Protection for EC2 scans the EBS volumes of instances flagged by other findings (or on demand), and Malware Protection for S3 scans newly uploaded objects and tags them with the scan result so that bucket policies can deny access to objects flagged as malicious.
Supports delegated administration through AWS Organizations for centralized configuration and auto-enablement.
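The multi-stage correlation described above is done inside GuardDuty by its extended threat detection; the following is an added example, not AWS code, that shows the shape of the problem with one deliberately simple rule: single-stage findings for the same IAM principal that span two or more MITRE ATT&CK tactics within a time window are reported as one candidate sequence. The sample findings are constructed, the "Principal" key stands in for the finding's access-key principal id, and the window and tactic threshold are assumptions.

```python
"""Correlate single-stage GuardDuty findings into a candidate attack sequence.

Illustrative only: GuardDuty's extended threat detection does this correlation
with ML across its data sources. This script applies one simple rule instead:
findings for the same IAM principal that span two or more MITRE ATT&CK tactics
within a time window are reported as a sequence.
"""
from datetime import datetime, timedelta

# Constructed sample findings (not real GuardDuty output). "Principal" stands in
# for Resource.AccessKeyDetails.PrincipalId; EC2-only findings have no principal.
SAMPLE_FINDINGS = [
    {"Type": "CredentialAccess:IAMUser/AnomalousBehavior", "Principal": "AIDAEXAMPLEAAAA",
     "UpdatedAt": "2025-12-01T10:00:00Z", "Severity": 5.0},
    {"Type": "Discovery:IAMUser/AnomalousBehavior", "Principal": "AIDAEXAMPLEAAAA",
     "UpdatedAt": "2025-12-01T10:12:00Z", "Severity": 5.0},
    {"Type": "Exfiltration:S3/AnomalousBehavior", "Principal": "AIDAEXAMPLEAAAA",
     "UpdatedAt": "2025-12-01T10:40:00Z", "Severity": 8.0},
    {"Type": "Recon:EC2/PortProbeUnprotectedPort", "Principal": None,
     "UpdatedAt": "2025-12-01T10:20:00Z", "Severity": 2.0},
    {"Type": "Discovery:IAMUser/AnomalousBehavior", "Principal": "AIDAEXAMPLEBBBB",
     "UpdatedAt": "2025-12-01T11:00:00Z", "Severity": 5.0},
    {"Type": "Discovery:IAMUser/AnomalousBehavior", "Principal": "AIDAEXAMPLECCCC",
     "UpdatedAt": "2025-12-01T01:00:00Z", "Severity": 5.0},
    {"Type": "Exfiltration:S3/AnomalousBehavior", "Principal": "AIDAEXAMPLECCCC",
     "UpdatedAt": "2025-12-02T09:00:00Z", "Severity": 8.0},
]


def parse_ts(ts):
    """Parse GuardDuty's ISO-8601 UTC timestamps (trailing "Z")."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def tactic(finding_type):
    """GuardDuty finding types are 'Tactic:Resource/Name'; return the tactic."""
    return finding_type.split(":", 1)[0]


def correlate(findings, window=timedelta(hours=24), min_tactics=2):
    """Return one candidate sequence per principal whose findings span at
    least `min_tactics` distinct tactics inside any `window`-long span."""
    by_principal = {}
    for f in findings:
        if f.get("Principal"):
            by_principal.setdefault(f["Principal"], []).append(f)

    sequences = []
    for principal, events in by_principal.items():
        events.sort(key=lambda e: parse_ts(e["UpdatedAt"]))
        best = None
        for i, first in enumerate(events):
            start = parse_ts(first["UpdatedAt"])
            run = [e for e in events[i:] if parse_ts(e["UpdatedAt"]) - start <= window]
            tactics = []
            for e in run:
                if tactic(e["Type"]) not in tactics:
                    tactics.append(tactic(e["Type"]))
            if len(tactics) >= min_tactics and (best is None or len(tactics) > len(best["tactics"])):
                best = {
                    "principal": principal,
                    "tactics": tactics,
                    "finding_count": len(run),
                    "first_seen": run[0]["UpdatedAt"],
                    "last_seen": run[-1]["UpdatedAt"],
                    "max_severity": max(e["Severity"] for e in run),
                }
        if best:
            sequences.append(best)
    return sequences


if __name__ == "__main__":
    for seq in correlate(SAMPLE_FINDINGS):
        print(f"{seq['principal']}: {' -> '.join(seq['tactics'])} "
              f"({seq['finding_count']} findings, max severity {seq['max_severity']})")
```

Only the first principal is reported: it moves from credential access through discovery to S3 exfiltration in forty minutes. The second has a single finding, and the third has two tactics but 32 hours apart, outside the window. The EC2 port-probe finding is keyed on an instance rather than a principal and is ignored here; a fuller version would correlate on instance id as well.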
Amazon Inspector
AWS's vulnerability management service for cloud-native applications, providing continuous scanning of EC2 instances, container images in Amazon ECR, Lambda functions, and source code and infrastructure-as-code in connected repositories.
Identifies software vulnerabilities, unintended network exposures, and prioritizes remediation based on factors like active exploitation, usage, and compliance requirements.
Integrates with CI/CD pipelines and developer tools to shift left and prevent vulnerabilities from reaching production.
Provides remediation guidance, including automatically generated patches, to simplify the fix process.
AWS Security Hub
Unified security service that aggregates findings from GuardDuty, Inspector, AWS Config, IAM Access Analyzer, and other AWS and partner sources.
Provides an exposure-based risk assessment, visualizing attack paths and interconnected resources to prioritize remediation.
Includes an asset inventory to understand what exists in the environment and the associated security findings.
Enables simplified pricing and deployment, bundling key security capabilities into packages.
Emits findings in OCSF (Open Cybersecurity Schema Framework), a vendor-neutral schema that makes the findings easier to integrate with SIEMs and other tools.
Feeds the separate AWS Security Incident Response service, which combines automated triage of findings with human expertise, providing 24/7 access to incident response support.
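As an added example (not Security Hub's own code or scoring), the following shows why a common schema matters for the aggregation and exposure-based prioritization described above: findings from GuardDuty, Inspector and Config arrive in one OCSF shape, so a single normalizer can flatten them and rank them against an asset inventory. The findings and inventory are constructed; the OCSF field names and class ids (2002 Vulnerability Finding, 2003 Compliance Finding, 2004 Detection Finding, severity_id 1 to 6) are taken from the OCSF schema as understood here; the ARNs, account id and CVE ids are placeholders; and the scoring weights are arbitrary assumptions.

```python
"""Normalize and rank OCSF findings aggregated by Security Hub.

Illustrative only (not Security Hub's exposure scoring). Field names follow the
OCSF schema as understood here: class_uid 2002 = Vulnerability Finding,
2003 = Compliance Finding, 2004 = Detection Finding; severity_id 1..6 =
Informational..Fatal. The scoring weights below are arbitrary assumptions.
"""
import json

VULNERABILITY_FINDING, COMPLIANCE_FINDING, DETECTION_FINDING = 2002, 2003, 2004
SEVERITY_NAMES = {0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium",
                  4: "High", 5: "Critical", 6: "Fatal", 99: "Other"}

# Constructed OCSF-shaped findings; account id, ARNs and CVE ids are placeholders.
SAMPLE_OCSF_JSON = json.dumps([
    {"class_uid": DETECTION_FINDING, "severity_id": 4,
     "metadata": {"product": {"name": "GuardDuty", "vendor_name": "AWS"}},
     "finding_info": {"uid": "gd-0001", "title": "Backdoor:EC2/C&CActivity.B!DNS"},
     "resources": [{"uid": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa", "type": "AwsEc2Instance"}]},
    {"class_uid": VULNERABILITY_FINDING, "severity_id": 5,
     "metadata": {"product": {"name": "Inspector", "vendor_name": "AWS"}},
     "finding_info": {"uid": "insp-0001", "title": "CVE-0000-0001 - openssl"},
     "vulnerabilities": [{"cve": {"uid": "CVE-0000-0001"}, "is_exploit_available": True}],
     "resources": [{"uid": "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbb", "type": "AwsEc2Instance"}]},
    {"class_uid": COMPLIANCE_FINDING, "severity_id": 3,
     "metadata": {"product": {"name": "Config", "vendor_name": "AWS"}},
     "finding_info": {"uid": "cfg-0001", "title": "S3 bucket server access logging disabled"},
     "resources": [{"uid": "arn:aws:s3:::example-logs-bucket", "type": "AwsS3Bucket"}]},
    {"class_uid": VULNERABILITY_FINDING, "severity_id": 2,
     "metadata": {"product": {"name": "Inspector", "vendor_name": "AWS"}},
     "finding_info": {"uid": "insp-0002", "title": "CVE-0000-0002 - curl"},
     "vulnerabilities": [{"cve": {"uid": "CVE-0000-0002"}, "is_exploit_available": False}],
     "resources": [{"uid": "arn:aws:ec2:us-east-1:111122223333:instance/i-0ccc", "type": "AwsEc2Instance"}]},
])

# Constructed asset inventory: the reachability fact an exposure view would supply.
ASSET_INVENTORY = {
    "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa": {"internet_exposed": True},
    "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbb": {"internet_exposed": True},
    "arn:aws:ec2:us-east-1:111122223333:instance/i-0ccc": {"internet_exposed": False},
    "arn:aws:s3:::example-logs-bucket": {"internet_exposed": False},
}


def load_findings(text):
    return json.loads(text)


def normalize(finding):
    """Flatten one OCSF finding into the few fields triage needs,
    regardless of which product produced it."""
    vulns = finding.get("vulnerabilities", [])
    return {
        "uid": finding["finding_info"]["uid"],
        "class_uid": finding["class_uid"],
        "product": finding["metadata"]["product"]["name"],
        "severity_id": finding["severity_id"],
        "severity": SEVERITY_NAMES.get(finding["severity_id"], "Unknown"),
        "title": finding["finding_info"]["title"],
        "resources": [r["uid"] for r in finding.get("resources", [])],
        "cves": [v["cve"]["uid"] for v in vulns if "cve" in v],
        "exploit_available": any(v.get("is_exploit_available", False) for v in vulns),
    }


def priority(n, inventory):
    """Arbitrary illustrative score: severity first, then known exploitability,
    then whether any affected resource is reachable from the internet."""
    score = n["severity_id"] * 10
    if n["exploit_available"]:
        score += 15
    if any(inventory.get(r, {}).get("internet_exposed", False) for r in n["resources"]):
        score += 20
    if n["class_uid"] == DETECTION_FINDING:
        score += 5  # an observed attack outranks a latent weakness at equal severity
    return score


def triage(findings, inventory):
    ranked = [normalize(f) for f in findings]
    ranked.sort(key=lambda n: priority(n, inventory), reverse=True)
    return ranked


def run_sample():
    return triage(load_findings(SAMPLE_OCSF_JSON), ASSET_INVENTORY)


if __name__ == "__main__":
    for n in run_sample():
        print(f"{priority(n, ASSET_INVENTORY):3d}  {n['severity']:<9} {n['product']:<10} {n['uid']}  {n['title']}")
```

The ranking puts the exploitable critical vulnerability on an internet-reachable instance first, the active GuardDuty detection on another exposed instance second, and the logging misconfiguration and unexploitable low-severity CVE last. Without the common schema, each of the three products would need its own normalizer before any cross-source ranking like this could be written.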
Business Impact
Unifies security data and tooling to provide a centralized view of risk, enabling faster and more effective response.
Shifts security left by integrating vulnerability and compliance checks into development workflows.
Simplifies pricing and deployment of key security services, lowering the barrier to adoption.
Leverages AWS's scale and threat intelligence to provide comprehensive protection against evolving cyber threats.
Empowers security teams to focus on high-impact tasks by automating investigation and response workflows.
Key Takeaways
AWS's detection and response services provide a comprehensive, integrated approach to cloud security.
Centralized visibility, risk assessment, and response capabilities enable faster and more effective security operations.
Shifting left by integrating security into development processes can prevent vulnerabilities from reaching production.
Simplified pricing and deployment make it easier for customers to adopt and operationalize these security services.
The combination of automated triage and human expertise in the Security Incident Response service helps customers quickly respond to and recover from security incidents.